When an attacker compromises a computing system, the attacker can evade discovery most effectively by corrupting the system's detection and signaling mechanisms. For instance, on infecting a host, a virus will often try to disable or conceal itself from anti-virus software. Many systems therefore attempt to defend themselves pre-emptively, as an attack is unfolding. Intrusion detection systems, for instance, analyze the behavior of a range of devices in order to isolate security breaches in their early stages, before they achieve extensive system compromise.
Tampering is notably problematic, for example, in security logs. An attacker can corrupt a device's log in exactly the same way that it can corrupt other defensive tools such as anti-virus software. The attacker can even remove or omit log entries that might raise suspicions of the presence of the attacker.
Tools such as forward-secure logging make undetectable modification of existing log entries infeasible, and thus ensure the integrity of logs compiled prior to a security breach. In such a scheme the device authenticates each entry under a current key, then replaces that key with a one-way function of itself and erases the old key; an attacker who later obtains the device's key therefore cannot re-authenticate entries from earlier epochs, and a verifier holding the initial key can detect any alteration to them. For a more detailed discussion of forward-secure logging, see, for example, Mihir Bellare and Bennet Yee, “Forward-Security in Private-Key Cryptography,” Proc. Cryptographers' Track at the RSA Conference (CT-RSA 2003), pp. 1-18 (Berlin, Heidelberg, 2003), incorporated by reference herein. After a breach, an attacker may compromise the logging system itself, thereby corrupting future log entries. Forward-secure logging is most valuable while an attack is unfolding, when a system has the opportunity to log signals of impending compromise, such as failed local authentication attempts, the installation of suspicious executables, and so forth. Such unmodified pre-breach log entries can furnish critical evidence of attack.
The critical window of time, however, between the first indications of an impending compromise and the compromise itself can be narrow. Log analysis tools easily overlook such short-lived periods of evidence. Many large-scale systems alter or sample logs to winnow down the floods of data that originate from large numbers of networked devices. In doing so, slivers of critical log data can be dropped.
Additionally, in a system where periods of evidence are regularly dropped, go unprocessed, or are otherwise altered, an attacker can exploit the expected existence of log-analysis gaps. The attacker can maliciously delete the entries in the critical window that carry the most compelling evidence of its presence on the machine. The resulting omission will go undetected, since the receiver cannot distinguish between missing log events that are omitted due to expected alterations and those that are deleted by the attacker.
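The following is an added illustration, not part of the original text and not an implementation from Bellare and Yee, of the two points made above: a key-evolving MAC log catches tampering with pre-breach entries but not forgery after the key is stolen, and a verifier that tolerates gaps cannot tell an attacker's deletion from an expected drop. The key-derivation strings, the all-zero initial key and the sample log lines are constructed for the example.

```python
"""Forward-secure (key-evolving) MAC log, illustrative only.

Each entry is authenticated under the key of its epoch; the key is then
replaced by a one-way derivation of itself and the old key erased. A
verifier holding the initial key can re-derive every epoch key, so an
attacker who later steals the device's current key cannot re-sign earlier
entries without detection. The attacker can, however, sign new entries,
and deletions are invisible to a verifier that tolerates gaps.
"""
import hashlib
import hmac


def evolve(key: bytes) -> bytes:
    """One-way key update K_{i+1} = H('evolve' || K_i); K_i is not recoverable from K_{i+1}."""
    return hashlib.sha256(b"evolve" + key).digest()


def entry_tag(key: bytes, epoch: int, message: bytes) -> bytes:
    """HMAC over (epoch, message) under a MAC key derived from the epoch key."""
    mac_key = hashlib.sha256(b"mac" + key).digest()
    return hmac.new(mac_key, epoch.to_bytes(8, "big") + message, hashlib.sha256).digest()


class ForwardSecureLogger:
    """Device-side logger. Only the current epoch key is kept in memory."""

    def __init__(self, initial_key: bytes):
        self._key = initial_key
        self.epoch = 0
        self.entries = []  # list of (epoch, message, tag)

    def append(self, message: bytes) -> None:
        self.entries.append((self.epoch, message, entry_tag(self._key, self.epoch, message)))
        self._key = evolve(self._key)  # the old key is discarded here
        self.epoch += 1

    def steal_state(self):
        """What an attacker obtains on compromising the device: current key and epoch."""
        return self._key, self.epoch


def verify(initial_key: bytes, entries, allow_gaps: bool = False) -> bool:
    """Verifier-side check; re-derives the epoch keys from the initial key.

    allow_gaps=True models a collector that expects sampled or dropped
    entries and therefore accepts a log whose epochs are not contiguous.
    """
    key, epoch = initial_key, 0
    for e, message, tag in entries:
        if e < epoch or (e > epoch and not allow_gaps):
            return False  # out of order, or a gap the verifier does not tolerate
        while epoch < e:  # fast-forward over a tolerated gap
            key, epoch = evolve(key), epoch + 1
        if not hmac.compare_digest(entry_tag(key, e, message), tag):
            return False
        key, epoch = evolve(key), epoch + 1
    return True


def run_scenarios() -> dict:
    """Constructed sample log showing what the scheme does and does not catch."""
    k0 = b"\x00" * 32  # hypothetical initial key shared with the verifier
    log = ForwardSecureLogger(k0)
    for line in (b"auth ok user=alice", b"auth FAIL user=root", b"auth FAIL user=root",
                 b"exec /tmp/.x", b"auth ok user=alice"):  # constructed log lines
        log.append(line)
    honest = list(log.entries)

    # 1. Attacker rewrites a pre-breach entry without its epoch key: detected.
    e, _, t = honest[1]
    tampered = honest[:1] + [(e, b"auth ok user=root", t)] + honest[2:]

    # 2. Attacker steals the current key and appends a forged entry: forward
    #    security says nothing about post-compromise entries, so it verifies.
    key_now, epoch_now = log.steal_state()
    forged = honest + [(epoch_now, b"all quiet", entry_tag(key_now, epoch_now, b"all quiet"))]

    # 3. Attacker deletes the most incriminating entry (epoch 3). A strict verifier
    #    sees the gap; a gap-tolerant collector cannot tell it from an expected drop.
    deleted = honest[:3] + honest[4:]

    return {
        "honest": verify(k0, honest),
        "tampered_pre_breach": verify(k0, tampered),
        "forged_post_breach": verify(k0, forged),
        "deleted_strict": verify(k0, deleted, allow_gaps=False),
        "deleted_gap_tolerant": verify(k0, deleted, allow_gaps=True),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'verifies' if ok else 'REJECTED'}")
```

Two caveats follow from the example. First, neither verifier mode detects truncation of the log's tail, since a missing final entry leaves no gap to observe; a practical scheme needs a separate signal (a periodic heartbeat entry or a closing marker) for that. Second, the gap-tolerant verifier is the realistic one for large collectors that sample or shed load, which is exactly the setting in which the deletion above goes unnoticed.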
A need therefore exists for improved techniques for signaling an intrusion after an attacker has compromised a device. For example, a need exists for improved signaling techniques that allow a device to log alerts that persist for long periods of time, and that allow a device to place alerts in its log after the device has been compromised by an attacker.